Bhutto Assassination: JavaScripted

Cybercriminals wasted no time riding on the tragic and shocking news of former Pakistan Prime Minister Benazir Bhutto’s assassination, as Websense discovered a number of malicious Web sites that came up on Google search results using the simple search term “benazir.” These sites attempt to infect users who want to know more about the unfortunate incident.

TrendLabs researchers found that one of the sites in question indeed has an embedded malicious JavaScript redirect, which Trend Micro detects as JS_AGENT.AEVE.

The malicious script downloads a Trojan (already detected TROJ_SMALL.LDZ), which in turn downloads more malicious files, namely WORM_HITAPOP.O and TROJ_AGENT.AFFR.

A graphical representation of this routine is as follows:

Upon further investigation, however, TrendLabs found that there is a host of other news sites and blogs taking advantage of this news.

Moreover, the malicious JavaScript is apparently not exclusive to news sites — it is also present in other Web sites with a broad scope of topics and interests. There are many other sites that have been possibly compromised (or that include the malicious JavaScript), including Autoworld, Vino, Dogpile, MSN, BlogSpot (yes, again), etc.

According to Trend Micro Advanced Threats Researcher Paul Ferguson, searching for this same malicious JavaScript code URL (the malicious script) yields 4,240 results. If the search is narrowed down to also include “benazir,” there would be only 103 results.

All related malicious URLs are already blocked by the Content Security Team and are thus inaccessible to Trend Micro customers.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware: